Published: 2025/06/26 Last Updated: 2025/06/26
JVN#92520966
Multiple vulnerabilities in iroha Board
Overview
iroha Board provided by iroha Soft Co., Ltd. contains multiple vulnerabilities.
Products Affected
- iroha Board versions v0.10.12 and earlier
Description
iroha Board provided by iroha Soft Co., Ltd. contains multiple vulnerabilities listed below.
- Forced browsing (CWE-425)
  - CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N Base Score 5.3
  - CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N Base Score 4.3
  - CVE-2025-41404
- Cross-site request forgery (CWE-352)
  - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N Base Score 5.1
  - CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N Base Score 4.3
  - CVE-2025-48497
Impact
- Non-public contents may be viewed by an attacker who can log in to the affected product (CVE-2025-41404)
- If a user accesses a specially crafted page while logged in to the affected product, arbitrary learning histories may be registered (CVE-2025-48497)
Solution
Update the Software
Update the software to the latest version according to the information provided by the developer.
The developer has released the following version that addresses these vulnerabilities.
- iroha Board v0.10.13
Vendor Status
| Vendor | Link |
| --- | --- |
| iroha Soft Co., Ltd. | Security (Text in Japanese) |
References
JPCERT/CC Addendum
Vulnerability Analysis by JPCERT/CC
Credit
Yuji Tounai of Mitsui Bussan Secure Directions, Inc. reported these vulnerabilities to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
Other Information
- CVE: CVE-2025-41404, CVE-2025-48497
- JVN iPedia: JVNDB-2025-000043
Update History
- 2025/06/26
  - Information under the section [Impact] was corrected.